October 16, 2021

Volume XI, Number 289


October 15, 2021

Subscribe to Latest Legal News and Analysis

October 14, 2021

Subscribe to Latest Legal News and Analysis

California Consumer Privacy Act Will Impose New Obligations on Businesses that Collect Consumer Data from California Residents

In California − the World’s seventh largest economy and a state that comprises roughly 40 million people − state lawmakers have passed a new law that aims to protect the privacy of consumers, and specifically details new notice requirements for those businesses that are collecting data from consumers on the web or even through conventional means at their brick-and-mortar locations.

On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect, granting an increased right of privacy to consumers for the collection and sale of personal information. Similar bills have been proposed in Hawaii, Maryland, Massachusetts, New Mexico, Rhode Island and Washington. The new law gives consumers the right to ask businesses what types and categories of information they are collecting, requires businesses to disclose their purpose for collecting and selling the information, and provides consumers with a mechanism to exercise the option to opt out of the collection and delete any of their personal information already collected. This new law will, of course, affect as well the consumer product manufacturers that are collecting the personal information of their California consumers for warranty purposes.

The California Attorney General proposed regulations for the CCPA on October 10, 2019, which not only provide guidance to businesses for compliance but also imposes additional requirements not found in the CCPA. These regulations are set to be enforced beginning July 1, 2020. With the landscape of this legislation continuously moving, it is vital that businesses remain informed and proactive in their compliance.

The CCPA requires businesses to provide a Notice at Collection, which must be given to the consumer at or before any personal information is collected, and a Notice of Right to Opt Out of Sale, which must be clearly posted on the businesses’ webpage in conjunction with a “Do Not Sell My Personal Information” link. While businesses may not discriminate against a consumer for their decision to opt out, businesses may offer financial incentives to those consumers who do permit the collection of their personal information. Additional notice is required when businesses expand or alter the information being collected. The proposed regulations also require notice even where information is collected offline at brick-and-mortar stores.

A significant additional requirement proposed by the regulations requires businesses to acknowledge a consumer’s browser plug-ins and privacy settings as a communication exercising the right to opt out, and potentially a reversal of a consumer’s previous request to opt out. There is little guidance on how businesses should go about monitoring consumers’ browser settings, leaving much of the onus on businesses to develop and implement methods to avoid missing a consumer’s opt-out designation.

In addition to the notice requirements, the other main components of the CCPA and accompanying regulations are Right to Know and Right to Delete requests. Consumers have a right to request, and businesses have a duty to disclose, the categories and specific pieces of information being collected, the sources from which this information is collected, the purposes for collecting and selling this information, and the identity of third parties to whom this information is sold. Businesses must offer consumers at least two methods of submitting these requests. All requests must be verified, and the regulations offer a two-step process that satisfies compliance. The regulations also mandate that all unverified Requests to Delete be treated as Requests to Opt Out. Finally, a record of all requests and responses must be retained by businesses for at least 24 months.

This brief summary makes clear that states are becoming increasingly serious regarding the protection of consumers’ privacy rights, while the responsibility of businesses to protect these rights is becoming more and more onerous in turn. With the deadline for written comments to the proposed regulations set for December 6, 2019, it is all but certain that amendments, additions and supplements will be released. We will continue to monitor this legislation and report as the regulations evolve.

© 2021 Wilson ElserNational Law Review, Volume IX, Number 326

About this Author

Marisa Trasatti Partner Baltimore Complex Tort & General Casualty Commercial Litigation Environmental Italy Pharmaceuticals & Medical Devices

Marisa Trasatti focuses her practice primarily on civil litigation, with an emphasis on product liability litigation, including cases involving drugs and medical devices. She serves as outside General Counsel for Sciton, Inc., a prominent medical and dermatological laser company based in Palo Alto, California. Marisa has experience litigating medical malpractice and insurance defense cases and has defended, locally and nationally, several large corporations in connection with toxic tort litigation. Her experience in life sciences includes domestic and international regulatory issues;...

Reagan Y. Greenberg Associate Baltimore Insurance & Reinsurance Defense Product Liability, Prevention & Government Compliance

Reagan Y. Greenberg works with the firm’s commercial litigation practice representing individuals, companies and insurance carriers in a variety of matters, including premises liability, negligence, insurance defense, and products liability claims.

Prior to joining Wilson Elser, Reagan served as judicial law clerk to the Honorable Michele D. Hotten of the Court of Appeals of Maryland.